diff --git a/.github/CODEOWNERS b/.github/CODEOWNERS index bbbc974..efc8651 100644 --- a/.github/CODEOWNERS +++ b/.github/CODEOWNERS @@ -1,12 +1,22 @@ -# Code owners: auto-assign reviewers for pull requests. -# https://docs.github.com/en/repositories/managing-your-repositorys-settings-and-features/customizing-your-repository/about-code-owners +# CODEOWNERS — default review ownership +# badhope is the sole owner; replace with team handles in a +# multi-maintainer setup. -# Default owner for everything in the repo. +# Default: everything * @badhope -# Security-sensitive files get an explicit owner reminder. -/SECURITY.md @badhope -/.github/workflows/ @badhope -/.gitleaks.toml @badhope -/.github/dependabot.yml @badhope -/CODEOWNERS @badhope +# GitHub configuration +/.github/ @badhope + +# Documentation +/docs/ @badhope +/README.md @badhope +/CHANGELOG.md @badhope + +# Build / release config +/package.json @badhope +/uv.lock @badhope +/package-lock.json @badhope +/pnpm-lock.yaml @badhope +/Cargo.toml @badhope +/Cargo.lock @badhope diff --git a/.github/CONTRIBUTING.md b/.github/CONTRIBUTING.md new file mode 100644 index 0000000..ea5ff0c --- /dev/null +++ b/.github/CONTRIBUTING.md 
@@ -0,0 +1,63 @@ +# Contributing + +Thanks for your interest in contributing! This document covers the +ground rules so your PR can land quickly and cleanly. + +## Branch & PR workflow + +> **Direct pushes to `main` are blocked by branch protection.** + +1. **Fork** (or create a feature branch if you have write access). +2. **Branch off `main`**: `git switch -c feat/short-description` +3. **Make focused commits** following + [Conventional Commits](https://www.conventionalcommits.org/): + - `feat: …` — new feature + - `fix: …` — bug fix + - `refactor: …` — no behaviour change + - `docs: …` — documentation only + - `chore(deps): …` — dependency bumps + - `security: …` — security fix +4. **Push your branch**: `git push -u origin feat/short-description` +5. **Open a Pull Request** against `main`. Fill in the PR template. +6. **Wait for CI** (gitleaks + CodeQL on every repo that has code). +7. **Squash-merge** is the default. One commit per logical change. + The merge commit subject will become the PR title. + +## Code style + +- Match the existing style of the file you are editing. +- Keep diffs minimal — don't reformat unrelated code. +- Add tests for new behaviour. Bug fixes should add a regression test + that fails on `main` and passes on your branch. +- No dead code, no commented-out code, no orphan TODO comments. + +## Security + +- **Never commit secrets, tokens, API keys, or `.env` files.** + Push-protection is on; if you bypass it, **rotate the credential**. + See [SECURITY.md](./SECURITY.md). +- Don't paste stack traces that contain real user data in issues. +- If you find a vulnerability, follow the + [private disclosure process](./SECURITY.md) — do not open a public + issue. + +## Dependencies + +- Dependabot opens weekly PRs for all package ecosystems detected + in the repo (npm, pip, cargo, docker, github-actions, gitsubmodule, + composer, gomod, bundler, nuget, maven, gradle). 
+- Dependabot PRs are auto-mergeable when CI passes — they do not need + a review from a human (the branch is signed and the diff is small). +- Major-version bumps that touch lockfiles will be reviewed manually. + +## Issue triage + +- New issues are auto-labelled **bug** / **enhancement** / **security** + via the issue templates. +- Please use the right template. Issues without a template take longer + to triage. + +## License + +By submitting a contribution, you agree that your work will be +licensed under the same license as the repository. diff --git a/.github/ISSUE_TEMPLATE/bug_report.md b/.github/ISSUE_TEMPLATE/bug_report.md index 3bedff1..5564df2 100644 --- a/.github/ISSUE_TEMPLATE/bug_report.md +++ b/.github/ISSUE_TEMPLATE/bug_report.md @@ -1,47 +1,40 @@ --- -name: Bug Report -about: 报告一个 bug,帮助我们改进 TaskFlow -title: '[Bug] ' +name: Bug report +about: Something is broken +title: "[bug] " labels: bug -assignees: '' +assignees: badhope --- -## 🐛 Bug 描述 +## Describe the bug -清晰、简洁地描述这个 bug 是什么。 + -## 🔄 复现步骤 +## To reproduce -1. 打开 '...' -2. 点击 '...' -3. 滚动到 '...' -4. 看到错误 +```bash +# Minimal reproduction steps +``` -## ✅ 期望行为 +## Expected behaviour -清晰、简洁地描述你期望发生的事情。 + -## ❌ 实际行为 +## Actual behaviour -清晰、简洁地描述实际发生的事情。 + -## 📸 截图 +## Environment -如果可以,添加截图来帮助解释问题。 +- OS: +- Runtime version: +- Package version: +- Date observed: -## 🌍 环境 +## Severity -- **平台**: [ ] Web [ ] Android [ ] iOS -- **设备**: 例如 iPhone 14 / Pixel 7 / Chrome 120 -- **OS 版本**: 例如 iOS 17.2 / Android 14 / Windows 11 -- **浏览器** (Web): 例如 Chrome 120 / Safari 17 -- **App 版本**: v1.1.0 -- **Node 版本** (开发): 例如 18.18.0 - -## 📋 额外信息 - -添加任何其他关于问题的信息,比如上下文、相关 issue 等。 - -## 🛠️ 调试信息 - -请运行 `npx expo-doctor` 并粘贴输出(如果是开发环境问题)。 +- [ ] Blocker — production is down +- [ ] High — feature unusable +- [ ] Medium — workaround exists +- [ ] Low — cosmetic diff --git a/.github/ISSUE_TEMPLATE/feature_request.md b/.github/ISSUE_TEMPLATE/feature_request.md index d0f3b26..81ecb8d 100644 
--- a/.github/ISSUE_TEMPLATE/feature_request.md +++ b/.github/ISSUE_TEMPLATE/feature_request.md @@ -1,40 +1,25 @@ --- -name: Feature Request -about: 为 TaskFlow 提出一个新功能建议 -title: '[Feature] ' +name: Feature request +about: Suggest an idea +title: "[feat] " labels: enhancement -assignees: '' +assignees: badhope --- -## 🚀 功能描述 +## Problem -清晰、简洁地描述你想要的功能。 + -## 💡 动机 / 背景 +## Proposed solution -这个功能解决了什么问题?什么使用场景需要它? + -例如:我在使用 TaskFlow 时经常需要 [...], 但是当前 [...] +## Alternatives considered -## 🎯 期望行为 + -清晰、简洁地描述你期望发生什么。 +## Willingness to contribute -## 🔄 替代方案 - -你考虑过的其他替代方案及其优缺点。 - -## 📸 草图 / 截图 - -如果可以,附上简单的草图或参考截图。 - -## 📋 优先级 - -- [ ] P0 - 必须(核心功能缺失) -- [ ] P1 - 重要(显著提升体验) -- [ ] P2 - 一般(锦上添花) -- [ ] P3 - 可选(Nice to have) - -## 📋 额外信息 - -任何其他相关信息、相关 issue、参考实现等。 +- [ ] I would submit a PR for this +- [ ] I would test a PR for this +- [ ] I would only discuss / design diff --git a/.github/ISSUE_TEMPLATE/security_report.md b/.github/ISSUE_TEMPLATE/security_report.md new file mode 100644 index 0000000..8d710e5 --- /dev/null +++ b/.github/ISSUE_TEMPLATE/security_report.md @@ -0,0 +1,39 @@ +--- +name: Security report +about: Report a vulnerability (PRIVATE) +title: "[security] " +labels: security +assignees: badhope +--- + +> **Please do not disclose the vulnerability in a public issue.** +> Use this private channel and the repository owner will respond within +> 7 days. If you cannot wait, email the security contact listed in +> [SECURITY.md](./SECURITY.md). + +## Summary + + + +## Affected component(s) + +- File(s): +- Function(s) / endpoint(s): +- Version / commit SHA: + +## Severity (your estimate) + +- [ ] Critical +- [ ] High +- [ ] Medium +- [ ] Low + +## Reproduction + +```bash +# Minimal steps / payload +``` + +## Impact + + diff --git a/.github/PULL_REQUEST_TEMPLATE.md b/.github/PULL_REQUEST_TEMPLATE.md index 3834887..673eccd 100644 --- a/.github/PULL_REQUEST_TEMPLATE.md +++ b/.github/PULL_REQUEST_TEMPLATE.md 
@@ -1,27 +1,36 @@ ## What - + ## Why - + ## How - + -## Tested +## Test plan - + -## Checklist +- [ ] Existing tests pass +- [ ] Added tests for new behaviour +- [ ] Manually verified in dev / staging + +## Risk & rollout -- [ ] I have read [`CONTRIBUTING.md`](./CONTRIBUTING.md) -- [ ] Tests pass locally (and CI is green) -- [ ] I didn't add any new linter / typecheck warnings -- [ ] I didn't commit any secrets, build output, or large binaries -- [ ] I added a `CHANGELOG.md` entry under "Unreleased" if it matters + + +## Checklist -## Screenshots / Logs +- [ ] My branch is up-to-date with the base branch +- [ ] I ran `gitleaks` locally (or let CI do it) +- [ ] I added / updated tests for new behaviour +- [ ] I updated documentation (README, CHANGELOG, …) +- [ ] I did **not** commit any secrets, tokens, or credentials +- [ ] My commit messages follow [Conventional Commits](https://www.conventionalcommits.org/) - +> **Never commit secrets.** If you accidentally committed a token, +> rotate it **immediately** in the provider's settings, then update +> the PR to remove the secret. See [SECURITY.md](./SECURITY.md).
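Review bot: in the CODEOWNERS hunk the explicit `/SECURITY.md @badhope` and `/.gitleaks.toml @badhope` entries are removed with nothing replacing them, while the added per-path entries (`/docs/`, `/README.md`, the lockfiles) name the same owner as `*` and so add no protection. Nothing changes today because `* @badhope` still matches every path, but the removed lines are the ones the old comment flagged as security-sensitive, and they are exactly the paths that should survive if `*` is later narrowed or handed to a team as the new header suggests. Suggest keeping `/SECURITY.md @badhope` and `/.gitleaks.toml @badhope`. The old `/CODEOWNERS` entry was a no-op, since the file lives under `/.github/`, which the new `/.github/ @badhope` line now covers correctly. Also worth a comment in the file: CODEOWNERS only gates merges when the branch protection on `main` has "Require review from Code Owners" enabled; otherwise it is advisory.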
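Review bot: in the CONTRIBUTING.md hunk the Dependencies section says Dependabot PRs "do not need a review from a human (the branch is signed and the diff is small)", which is the wrong justification and conflicts with the next bullet that major bumps are reviewed manually. A signed commit proves the PR came from Dependabot, not that the bumped version is safe, and a one-line lockfile change is exactly how a compromised upstream release lands. Suggest stating the actual policy, e.g. auto-merge only patch and minor updates after CI passes, keep human review for everything else, and say where that rule is enforced (ruleset or workflow) so the text cannot drift from the configuration. Separately, `[SECURITY.md](./SECURITY.md)` is written from `.github/CONTRIBUTING.md` and resolves to `.github/SECURITY.md`; the CODEOWNERS hunk references `/SECURITY.md` at the repository root and this patch adds no copy under `.github/`, so the link should be `../SECURITY.md`. Minor: `security: …` is not a standard Conventional Commits type; fine as a project convention, but say it is one.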
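Review bot: in the bug_report.md hunk the new "To reproduce" section invites pasting commands and output, but the template carries no reminder about redaction even though CONTRIBUTING.md tells reporters not to paste stack traces containing real user data. Suggest one line under that heading, such as "Redact tokens, hostnames and user data before pasting", so the rule is visible at the point where people actually paste.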
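Review bot: the new security_report.md cannot do what its `about: Report a vulnerability (PRIVATE)` line and the blockquote promise. Issue templates create ordinary issues, and on a public repository every issue is public regardless of label or title, so a reporter who follows the instructions still discloses the bug, and the `# Minimal steps / payload` fence asks them to post the details in the open. This also contradicts CONTRIBUTING.md, which says "do not open a public issue". Suggest deleting this template and adding `.github/ISSUE_TEMPLATE/config.yml` with `blank_issues_enabled: false` and a `contact_links` entry pointing at the repository's private vulnerability reporting page (`/security/advisories/new`) or the contact in SECURITY.md. If the template must stay, drop the "Reproduction" and "Impact" sections and keep only the pointer to the private channel. The `./SECURITY.md` link is also wrong from `.github/ISSUE_TEMPLATE/`; from there it would need `../../SECURITY.md`.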
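Review bot: in the PULL_REQUEST_TEMPLATE.md hunk, "Added tests for new behaviour" under Test plan and "I added / updated tests for new behaviour" under Checklist are the same item twice; keep one. The removed `CHANGELOG.md` item is folded into "I updated documentation (README, CHANGELOG, …)", which is fine, but the removed "I didn't add any new linter / typecheck warnings" and "build output, or large binaries" checks have no replacement, and the new secrets item covers only tokens and credentials; suggest restoring both. `[SECURITY.md](./SECURITY.md)` is written from `.github/` and resolves to `.github/SECURITY.md`, while the CODEOWNERS hunk places the file at the repository root, so use `../SECURITY.md`.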